ATTACHMENT 3 - Additional Applicable Clauses


ICE Information Governance and Privacy Requirements Clause (JUL 2017) 

Guidance: In addition to FAR 52.224-1 Privacy Act Notification (APR 1984), 52.224-2 Privacy
Act (APR 1984), FAR 52.224-3 Privacy Training (JAN 2017), and HSAR Clauses, the following 
IGP clause must be included in its entirety in all contracts. No section of this clause may be read 
as self-deleting unless the terms of the contract meet the requirements for self-deletion as 
specified in this clause. 

A. Limiting Access to Privacy Act and Other Sensitive Information 

(1) Privacy Act Information 

In accordance with FAR 52.224-1 Privacy Act Notification (APR 1984), and FAR 52.224-2 Privacy Act 
(APR 1984), if this contract requires contractor personnel to have access to information protected by the 
Privacy Act of 1974 the contractor is advised that the relevant DHS system of records notices (SORNs) 
applicable to this Privacy Act information may be found at www.dhs.gov/privacy. Applicable SORNs of
other agencies may be accessed through the agencies’ websites or by searching FDsys, the Federal Digital
System, available at http://www.gpo.gov/fdsys/. SORNs may be updated at any time.

(2) Prohibition on Performing Work Outside a Government Facility/Network/Equipment 

The Contractor shall perform all tasks on authorized Government networks, using Government-furnished 
IT and other equipment and/or Workplace as a Service (WaaS) if WaaS is authorized by the statement of 
work. Government information shall remain within the confines of authorized Government networks at 
all times. Except where telework is specifically authorized within this contract, the Contractor shall 
perform all tasks described in this document at authorized Government facilities; the Contractor is 
prohibited from performing these tasks at or removing Government-furnished information to any other 
facility; and Government information shall remain within the confines of authorized Government facilities 
at all times. Contractors may only access classified materials on government furnished equipment in 
authorized government owned facilities regardless of telework authorizations. 

(3) Prior Approval Required to Hire Subcontractors 

The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any 
contractual relationship (Subcontractor) in support of this contract requiring the disclosure of information, 
documentary material and/or records generated under or relating to this contract. The Contractor (and any 
Subcontractor) is required to abide by Government and Agency guidance for protecting sensitive and 
proprietary information. 

(4) Separation Checklist for Contractor Employees 

Contractor shall complete a separation checklist before any employee or Subcontractor employee 
terminates working on the contract. The separation checklist must verify: (1) return of any
Government-furnished equipment; (2) return or proper disposal of sensitive personally identifiable information (PII), in
paper or electronic form, in the custody of the employee or Subcontractor employee including the 
sanitization of data on any computer systems or media as appropriate; and (3) termination of any 
technological access to the Contractor’s facilities or systems that would permit the terminated employee’s 
access to sensitive PII. 

In the event of adverse job actions resulting in the dismissal of an employee or Subcontractor employee, 
the Contractor shall notify the Contracting Officer’s Representative (COR) within 24 hours. For normal 
separations, the Contractor shall submit the checklist on the last day of employment or work on the 
contract. 

As requested, contractors shall assist the ICE Point of Contact (ICE/POC), Contracting Officer, or COR 
with completing ICE Form 50-005/Contractor Employee Separation Clearance Checklist by returning all 
Government-furnished property including but not limited to computer equipment, media, credentials and 
passports, smart cards, mobile devices, PIV cards, calling cards, and keys and terminating access to all 
user accounts and systems. 

B. Privacy Training, Safeguarding, and Remediation

If the Safeguarding of Sensitive Information (MAR 2015) and Information Technology Security and 
Privacy Training (MAR 2015) clauses are included in this contract, section B of this clause is deemed 
self-deleting.

(1) Required Security and Privacy Training for Contractors 

Contractor shall provide training for all employees, including Subcontractors and independent contractors 
who have access to sensitive personally identifiable information (PII) as well as the creation, use, 
dissemination and/or destruction of sensitive PII at the outset of the employee’s work on the contract and 
every year thereafter. Training must include procedures on how to properly handle sensitive PII, including 
security requirements for the transporting or transmission of sensitive PII, and reporting requirements for 
a suspected breach or loss of sensitive PII. All Contractor employees are required to take the Privacy at 
DHS: Protecting Personal Information training course. This course, along with more information about 
DHS security and training requirements for Contractors, is available at
www.dhs.gov/dhs-security-and-training-requirements-contractors. The Federal Information Security Management Act (FISMA) requires
all individuals accessing ICE information to take the annual Information Assurance Awareness Training 
course. These courses are available through the ICE intranet site or the Agency may also make the training 
available through hypertext links or CD. The Contractor shall maintain copies of employees’ certificates 
of completion as a record of compliance and must submit an annual e-mail notification to the ICE 
Contracting Officer’s Representative that the required training has been completed for all the Contractor’s 
employees. 

(2) Safeguarding Sensitive PII Requirement 

Contractor employees shall comply with the Handbook for Safeguarding sensitive PII at DHS at all times 
when handling sensitive PII, including the encryption of sensitive PII as required in the Handbook. This 
requirement will be flowed down to all subcontracts and lower tiered subcontracts as well. 

(3) Non-Disclosure Agreement Requirement 

All Contractor personnel that may have access to PII or other sensitive information shall be required to 
sign a Non-Disclosure Agreement (DHS Form 11000-6) prior to commencing work. The Contractor shall 
maintain signed copies of the NDA for all employees as a record of compliance. The Contractor shall 
provide copies of the signed NDA to the Contracting Officer’s Representative (COR) no later than two (2) 
days after execution of the form. 

(4) Prohibition on Use of PII in Vendor Billing and Administrative Records 

The Contractor’s invoicing, billing, and other financial/administrative records/databases may not store or 
include any sensitive Government information, such as PII that is created, obtained, or provided during the 
performance of the contract. It is acceptable to list the names, titles and contact information for the 
Contracting Officer, Contracting Officer’s Representative, or other ICE personnel associated with the 
administration of the contract in the invoices as needed. 

(5) Reporting Suspected Loss of Sensitive PII 

Contractors must report the suspected loss or compromise of sensitive PII to ICE in a timely manner and 
cooperate with ICE’s inquiry into the incident and efforts to remediate any harm to potential victims. 

1. The Contractor must develop and include in its security plan (which is submitted to ICE) an internal 
system by which its employees and Subcontractors are trained to identify and report the potential loss 
or compromise of sensitive PII. 

2. The Contractor must report the suspected loss or compromise of sensitive PII by its employees or 
Subcontractors to the ICE Security Operations Center (480-496-6627), the Contracting Officer’s 
Representative (COR), and the Contracting Officer within one (1) hour of the initial discovery. 

3. The Contractor must provide a written report to ICE within 24 hours of the suspected loss or 
compromise of sensitive PII by its employees or Subcontractors. The report must contain the following 
information:


a. Narrative or detailed description of the events surrounding the suspected loss or compromise of 
information. 

b. Date, time, and location of the incident. 

c. Type of information lost or compromised. 

d. Contractor’s assessment of the likelihood that the information was compromised or lost and the 
reasons behind the assessment. 

e. Names of person(s) involved, including victim, Contractor employee/Subcontractor and any 
witnesses. 

f. Cause of the incident and whether the company’s security plan was followed and, if not, which 
specific provisions were not followed. 

g. Actions that have been or will be taken to minimize damage and/or mitigate further compromise. 

h. Recommendations to prevent similar situations in the future, including whether the security plan 
needs to be modified in any way and whether additional training may be required. 

4. The Contractor shall provide full access and cooperation for all activities determined by the 
Government to be required to ensure an effective incident response, including providing all 
requested images, log files, and event information to facilitate rapid resolution of sensitive 
information incidents. 

5. At the Government’s discretion, Contractor employees or Subcontractor employees may be 
identified as no longer eligible to access sensitive PII or to work on that contract based on their actions
related to the loss or compromise of sensitive PII. 

(6) Victim Remediation 

The Contractor is responsible for notifying victims and providing victim remediation services in the event 
of a loss or compromise of sensitive PII held by the Contractor, its agents, or its Subcontractors, under this 
contract. Victim remediation services shall include at least 18 months of credit monitoring and, for 
serious or large incidents as determined by the Government, call center help desk services for the 
individuals whose sensitive PII was lost or compromised. The Contractor and ICE will collaborate and 
agree on the method and content of any notification that may be required to be sent to individuals whose 
sensitive PII was lost or compromised. 


C. Government Records Training, Ownership, and Management 

(1) Records Management Training and Compliance 

(a) The Contractor shall provide DHS basic records management training for all employees and 
Subcontractors that have access to sensitive PII as well as to those involved in the creation, use, 
dissemination and/or destruction of sensitive PII. This training will be provided at the outset of the 
Subcontractor’s/employee’s work on the contract and every year thereafter. This training can be 
obtained via links on the ICE intranet site or it may be made available through other means (e.g., CD or 
online). The Contractor shall maintain copies of certificates as a record of compliance and must submit 
an e-mail notification annually to the Contracting Officer’s Representative verifying that all employees 
working under this contract have completed the required records management training. 

(b) The Contractor agrees to comply with Federal and Agency records management policies, including 
those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These 
policies include the preservation of all records created or received regardless of format, mode of 
transmission, or state of completion. 


(2) Records Creation, Ownership, and Disposition 

(a) The Contractor shall not create or maintain any records not specifically tied to or authorized by the 
contract using Government IT equipment and/or Government records or that contain Government 
Agency data. The Contractor shall certify in writing the destruction or return of all Government data at 
the conclusion of the contract or at a time otherwise specified in the contract. 

(b) Except as stated in the Performance Work Statement and, where applicable, the Contractor’s
Commercial License Agreement, the Government Agency owns the rights to all electronic information 
(electronic data, electronic information systems or electronic databases) and all supporting 
documentation and associated metadata created as part of this contract. All deliverables (including all 
data and records) under the contract are the property of the U.S. Government and are considered 
federal records, for which the Agency shall have unlimited rights to use, dispose of, or disclose such 
data contained therein. The Contractor must deliver sufficient technical documentation with all data 
deliverables to permit the agency to use the data. 

(c) The Contractor shall not retain, use, sell, disseminate, or dispose of any government data/records or 
deliverables without the express written permission of the Contracting Officer or Contracting Officer’s 
Representative. The Agency and its contractors are responsible for preventing the alienation or 
unauthorized destruction of records, including all forms of mutilation. Willful and unlawful 
destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 
U.S.C. § 2701. Records may not be removed from the legal custody of the Agency or destroyed 
without regard to the provisions of the Agency records schedules. 

D. Data Privacy and Oversight 

Section D applies to information technology (IT) contracts. If this is not an IT contract, section D may 
read as self-deleting. 

(1) Restrictions on Testing or Training Using Real Data Containing PII 

The use of real data containing sensitive PII from any source for testing or training purposes is generally 
prohibited. The Contractor shall use synthetic or de-identified real data for testing or training whenever 
feasible. ICE policy requires that any proposal to use real data or de-identified data for IT system
testing or training be approved by the ICE Privacy Officer and Chief Information Security Officer (CISO) 
in advance. In the event performance of the contract requires or necessitates the use of real data for 
system-testing or training purposes, the Contractor in coordination with the Contracting Officer or 
Contracting Officer’s Representative and Government program manager shall obtain approval from the 
ICE Privacy Office and CISO and complete any required documentation. 

If this IT contract contains the Safeguarding of Sensitive Information (MAR 2015) and Information 
Technology Security and Privacy Training (MAR 2015) clauses, section D(2) of this clause is deemed 
self-deleting. 

(2) Requirements for Contractor IT Systems Hosting Government Data 

The Contractor is required to obtain a Certification and Accreditation for any IT environment owned or 
controlled by the Contractor or any Subcontractor on which Government data shall reside for the purposes 
of IT system development, design, data migration, testing, training, maintenance, use, or disposal. 

(3) Requirement to Support Privacy Compliance 

(a) The Contractor shall support the completion of the Privacy Threshold Analysis (PTA) document 
when it is required. PTAs are triggered by the creation, modification, upgrade, or disposition of an IT 
system, and must be renewed at least every three years. Upon review of the PTA, the DHS Privacy 
Office determines whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records 
Notice (SORN), or modifications thereto, are required. The Contractor shall provide adequate support 
to complete the PIA in a timely manner, and shall ensure that project management plans and schedules 
include the PTA, PIA, and SORN (to the extent required) as milestones. Additional information on the 
privacy compliance process at DHS, including PTAs, PIAs, and SORNs, is located on the DHS Privacy 
Office website (www.dhs.gov/privacy) under “Compliance.” DHS Privacy Policy Guidance 
Memorandum 2008-02 sets forth when a PIA will be required at DHS, and the Privacy Impact 
Assessment Guidance and Template outline the requirements and format for the PIA. 

(b) If the contract involves an IT system build or substantial development or changes to an IT system 
that may require privacy documentation, the Contractor shall assign or procure a Privacy Lead, to be 
listed under “Key Personnel.” The Privacy Lead shall be responsible for providing adequate support to 
DHS to ensure DHS can complete any required PTA, PIA, SORN, or other supporting documentation 
to support privacy compliance. The Privacy Lead shall work with personnel from the program office,
the ICE Privacy Office, the Office of the Chief Information Officer, and the Records Management 
Branch to ensure that the privacy documentation is kept on schedule, that the answers to questions in 
the PIA are thorough and complete, and that questions asked by the ICE Privacy Office and other 
offices are answered in a timely fashion. The Privacy Lead: 

• Must have excellent writing skills, the ability to explain technology clearly for a 
non-technical audience, and the ability to synthesize information from a variety of 
sources. 

• Must have excellent verbal communication and organizational skills. 

• Must have experience writing PIAs. Ideally the candidate would have experience 
writing PIAs for DHS. 

• Must be knowledgeable about the Privacy Act of 1974 and the E-Government Act of
2002.

• Must be able to work well with others. 

(c) If a Privacy Lead is already in place with the program office and the contract involves IT 
system builds or substantial changes that may require privacy documentation, the requirement 
for a separate Privacy Lead specifically assigned under this contract may be waived provided
the Contractor agrees to have the existing Privacy Lead coordinate with and support the ICE 
Privacy POC to ensure privacy concerns are proactively reviewed and so ICE can complete 
any required PTA, PIA, SORN, or other supporting documentation to support privacy 
compliance if required. The Contractor shall work with personnel from the program office, the 
ICE Office of Information Governance and Privacy, and the Office of the Chief Information 
Officer to ensure that the privacy documentation is kept on schedule, that the answers to 
questions in any privacy documents are thorough and complete, that all records management 
requirements are met, and that questions asked by the ICE Privacy Office and other offices are 
answered in a timely fashion. 

(End of Clause) 